The /runBatchCase interface requires no authorization and splices the filename parameter directly into the path of the file it reads, resulting in arbitrary file read: springboot.HttpImpl#getLogdDetail
The /runBatchCase interface requires no authorization. It uses fastjson to decode a RunBatchCaseEntity and splices the toString() of the incoming parameter directly into the command it executes: springboot.HttpImpl#runBatchCase
The properties of the RunBatchCaseEntity object are of type String, leading to command injection: springboot.model.RunBatchCaseEntity
The /runTask interface requires no authorization. It uses fastjson to decode a RunTaskEntity and splices the toString() of the incoming parameter directly into the command it executes: springboot.HttpImpl#runTask
The properties of the RunTaskEntity object are of type String, and malicious commands can be injected into these String properties, resulting in command injection: springboot.model.RunTaskEntity
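
The two fixes these findings call for, as an added Java example that is not the project's code: the file name is resolved under a fixed directory and rejected if it escapes, and entity fields are validated and passed as separate arguments instead of being spliced into a command string. The class, method and parameter names, the sample paths and the allowlist pattern are assumptions.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added illustration: class, method and field names are hypothetical, not the project's.
public class SafeInputHandling {
    // Allowlist for argument values; first character alphanumeric so a value cannot look like an option.
    private static final Pattern SAFE_ARG = Pattern.compile("[A-Za-z0-9][A-Za-z0-9_.-]{0,63}");

    // File read: resolve under a fixed base directory, reject anything that escapes it.
    // normalize() is lexical; use toRealPath() as well if symlinks can exist under base.
    static Path resolveLogFile(Path baseDir, String filename) throws IOException {
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(filename).normalize();
        if (target.equals(base) || !target.startsWith(base)) {
            throw new IOException("filename escapes log directory: " + filename);
        }
        return target;
    }

    // Command: validate each field, then pass the list to new ProcessBuilder(list).
    // With no shell in between, metacharacters in a value are never interpreted.
    static List<String> buildCommand(String script, String project, String caseId) {
        for (String arg : Arrays.asList(project, caseId)) {
            if (arg == null || !SAFE_ARG.matcher(arg).matches()) {
                throw new IllegalArgumentException("rejected argument: " + arg);
            }
        }
        return Arrays.asList(script, project, caseId);
    }

    public static void main(String[] args) throws Exception {
        Path logs = Paths.get("/opt/app/logs"); // constructed sample values from here on
        System.out.println(resolveLogFile(logs, "task-42.log"));
        try {
            resolveLogFile(logs, "../outside.txt");
        } catch (IOException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        System.out.println(buildCommand("/opt/app/run_case.sh", "demo", "case_7"));
        try {
            buildCommand("/opt/app/run_case.sh", "demo", "case_7; echo x");
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Input validation does not replace access control: the interfaces above also need an authorization check before either code path is reached.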